CIT 480 Securing Computer Systems TCPIP Security Topics
- Slides: 32
CIT 480: Securing Computer Systems TCP/IP Security
Topics 1. 2. 3. 4. 5. 6. Internet Protocol (IP) IP Spoofing and Other Vulnerabilities ICMP Transmission Control Protocol (TCP) TCP Session Hijacking UDP
Internet Protocol (IP) Connectionless – Each packet is transported independently from other packets Unreliable – Delivery on a best effort basis – No acknowledgments Data link frame IP packet TCP or UDP packet – Packets may be lost, reordered, corrupted, or duplicated IP packets – Encapsulate TCP and UDP packets – Encapsulated into link-layer frames
IP Addresses 32 -bit integers that identify machine on net Dotted decimal notation: ii. jj. kk. ll DNS translates names to IP addresses 172 10101100 . 16 00010000 . 254 11111110 . 1 00000001 1 byte 32 bits = 4 bytes IPv 6 addresses are 128 -bit integers written like 2001: 0 db 8: 0000: ff 00: 0042: 8329
Network Address Translation Uses public IP addr to represent private IP. – Translates source IP in outgoing packets. – Translates dest IP in incoming packets. – Router keeps table of translations.
IP Address Geolocation • ISPs get blocks of IP addresses from ARIN. • ARIN database records where IP addresses are. • Application layer and time data may help reveal details. Check http: //www. findmyip. org/ for your location.
IP Header
IP Routing A router bridges two or more networks – Operates at the network layer. – Maintains tables to forward packets to the appropriate network. – Forwarding decisions based solely on the destination address. Routing table – Maps ranges of IP addresses to LANs or other gateway routers.
IP Routing Same IP address at each hop used to route data packet. New MAC address at each hop
IP Vulnerabilities 1. Unencrypted transmission – Eavesdropping possible at any intermediate host during routing. 2. No source authentication – Sender can spoof source address, making it difficult to trace packet back to attacker. 3. No integrity checking – Entire packet, header and payload, can be modified while en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks. 4. No bandwidth constraints – Large number of packets can be sent to Do. S target.
IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another. • If victim trusts spoofed IP, then attacker trusted. • Tracking down attack leads to spoofed IP. Two basic forms of IP Spoofing • Blind Spoofing can be used from any source. • Non-Blind Spoofing must be on same subnet.
Blind Spoofing Attacker cannot see response packets, but – Some attacks, like Do. S do not want to receive response packets, and – Some responses can be guessed sufficiently accurately to carry on conversation, such as TCP hijacking attacks.
Network Tests with ICMP Internet Control Message Protocol (ICMP) – Used for network testing and debugging. – Simple messages encapsulated in single IP packets. – Considered a network layer protocol. ICMP-based Network Testing Tools – ping: sends echo request messages and provides statistics on roundtrip times and packet loss. – traceroute: sends series of ICMP packets with increasing TTL value to discover routes.
ICMP Do. S Attacks Ping of death – ICMP specifies messages must fit a single IP packet (64 KB). – Send a ping packet that exceeds maximum size using IP fragmentation. – Reassembled packet caused several operating systems to crash due to a buffer overflow. Smurf – Ping a broadcast address using a spoofed source address. Large number of responses sent to target whose address was spoofed.
Smurf Attack Amplifying Network echo response echo request echo response Attacker echo response Victim
TCP: Transmission Control Protocol Connection-oriented Must establish connection before sending data. 3 -way handshake. Reliable byte-stream TCP decides how to divide stream into packets. ACK, timeout, retransmit, reordering. 16 -bit source and destination ports. FTP(21), HTTP(80), POP(110), SMTP(25) Slide #17
TCP Reliability 1. Breaks data into best-sized chunks. 2. After sending segment, maintains timer; if no ACK within time limit, resends segment. 3. Sends ACK on receipt of packets. 4. Discards pkts on bad checkum of header and data. 5. Receiver resequences TCP segments, based on sequence numbers, allowing data to be reassembled correctly no matter what order. 6. Receiver discards duplicate segments. 7. Flow control: only sends as much data as receiver can process. Slide #18
TCP Header Slide #19
TCP Connection Establishment TCP 3 -Way Handshake Slide #20
SYN Floods Create many half-open connections to target – Send SYN packet – Ignore SYN+ACK response • (May spoof invalid source IP address for each SYN) Target connection table fills up, resulting in Do. S – 3 minute timeout for final ACK – all new TCP connections refused Defenses – Micro-connections (allocate few resources til see ACK) – SYN cookies store state in TCP ISN, not on server
TCP Connection Termination
TCP Session Killing RST – Need one valid TCP sequence number. – Send RST segment with spoofed IP address and valid sequence number. – May need to send multiple RST’s in case host receives TCP segment with your chosen sequence number before your RST segment. FIN – Need valid TCP sequence + ACK numbers. – Send FIN+ACK segment with spoofed IP address to terminate session. – Receive FIN packet in response, verifying kill if successful.
TCP Session Hijacking A TCP session hijacking attack is when an attacker takes control of an existing TCP session. The attacker must be able to – Spoof IP address of one side of connection. – Predict TCP sequence numbers. Gives threat access to authenticated sessions. Defenses: – Random initial TCP sequence numbers. – Use encrypted protocols like SSH, so attacker cannot interact with system due to inability to send properly encrypted traffic.
TCP Session Hijacking Steps 1. Guess TCP sequence numbers used in current session between two hosts. 2. Create desynchronized state so neither side of connection can talk to the other. 3. Send packet with correct SN + ACK with spoofed client IP address to server, containing attack.
ACK Storm • Noisy side effect of TCP session hijacking. • Both client and server ACK unacceptable packets with expected sequence number. • Each ACK is also unacceptable and generates another ACK response. • If network drops packet, no response made. • ACK storms create network congestion, leading to many dropped packets.
Covert Channels in TCP/IP Covert channels enable communication using techniques not meant for information exchange. Possible techniques include: – – Timing of packets (temporal channel). Size of packets. Unused header fields (header bit modulation). Hiding data in packet body. Covert channels may be able to be detected by – Too many packets of certain protocols (ICMP, DNS) – Too large packets from certain protocols – Multiple response packets for protocols like ICMP, DNS
Port Knocking Port knocking is a method of opening ports by making connections to a set of unused ports in a specified sequence. – Fairly secure against brute force attacks since there are 65536 k combinations, where k is the number of ports knocked – Susceptible to replay attacks. If a port knock is sniffed, then attacker can replay the knock. Used to hide ports from network scans. Can be used by defenders and attackers.
User Datagram Protocol (UDP) Stateless, unreliable layer 4 protocol. – Runs on top of IP. – Trades reliability for speed. Applications – Streaming audio/video. – TFTP (builds simple state on top of UDP. ) – DNS.
UDP Header Slide #30
Key Points 1. IP addresses seen by recipient unlike MAC – NAT hides many IP addresses behind one. 2. IP spoofing – Blind: do not see responses. – Non-blind: use sniffer to see responses. 3. Technical Do. S: ping of death, smurf, SYN flood 4. TCP session hijacking seizes authenticated session – Guess TCP sequence numbers based on ISN. – Desynchronize existing TCP session. – Threat resynchronizes with server, seizing control. 5. Cannot hijack encrypted sessions like ssh.
References 1. Carna Botnet, Internet Census 2012, http: //internetcensus 2012. bitbucket. org/p aper. html, 2012. 2. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. 3. Richard Stevens, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.
- 480+480
- Cit 595 upenn
- Cit 593 introduction to computer systems
- History of osi model
- Tcpip
- Modelo tcpip
- Osi vs tcp
- Tcp
- Tcp/ip logo
- Ganesh sittampalam
- Ois 7계층
- Securing information system
- Securing information systems
- Chapter 8 securing information systems
- Chapter 8 securing information systems
- Securing information systems
- Chapter 8 securing information systems
- Chapter 8 securing information systems
- Private securty
- Mcit 592
- Interesting topics in network security
- Security briefing example
- Software security topics
- Security meeting topics
- Embedded systems topics for presentation
- Sans mgt 433
- The most common form of securing channels is through.
- Securing network devices
- Securing frame communication in browsers
- Securing frame communication in browsers
- Chapter 8 securing the republic summary
- Securing windows 7
- Securing